BIOS

Rebuild of National Research Council systems years late: documents

A cyberattack on the National Research Council’s computer system may have compromised Canada’s scientific and industrial trade secrets.

Jordan Press, The Canadian Press
Published Saturday, January 9, 2016 9:57AM EST
Last Updated Saturday, January 9, 2016 10:17AM EST

OTTAWA -- Canada's top scientific agency will be waiting at least two more years for a new computer system to replace the one hackers infiltrated in the summer of 2014 -- and some researchers will have to rely on the old one in the meantime, documents show.

The National Research Council was forced to shut down its computer network in July 2014 after hackers repeatedly made it into systems that house sensitive research, trade secrets and personal information.

Government officials publicly blamed the attack on a highly sophisticated, Chinese state-sponsored player. China strenuously denied what they described as a baseless charge from Canadian officials.

The ensuing 12 months were supposed to have seen a $32.5-million refit of the council's networks, including a rebuilt system and new laptops for council workers as part of the technological upgrade.

The new laptops are in place, as are most enhanced security controls.

In an emailed statement, NRC spokesman Charles Drouin said a "modest investment" in the old system has been the biggest measure taken to get the council back to its usual productivity levels.

Most of the research network has been built, with the last components to be put in place by April, Drouin wrote.

"As with all networks, there will be a stabilization period were the network is fine-tuned for NRC's varied needs," the statement said. "NRC has already resumed its regular business activities to support clients and stakeholders in a secure manner."

Documents obtained by The Canadian Press under the Access to Information Act suggest that the entire process has proven to be a far more complicated project than was first envisioned.

A June 30 presentation on the project showed that rather than being done by July 2015, a new system wouldn't be fully ready until July 2018.

Even that timeline was tough to meet because of "resourcing gaps" with timelines that were "already slipping," one slide reads.

The presentation says Shared Services Canada, the government's information technology department, had hoped to have the research council back to "full business productivity" by the end of 2015.

In the meantime, some of the country's top researchers were being forced to work on the "compromised legacy system" as well as the new, more secure system as it was being built.

Keeping the system running just below full capacity was only possible through the "extreme efforts of staff" who were finding "unsustainable" work-arounds. Come summer, those efforts were "deteriorating," and labelled in the presentation as "unsustainable, not secure, costly, and growth-prohibitive."

What ensued was "growing client frustration," the storage of important research data in digital spaces that were "inaccessible and not secure," and an "immeasurable loss of innovation" as researchers were "directed away from new opportunities."

Getting back to "full business productivity" would be a major milestone for workers overseeing the project, allowing them to move the research council's files and programs --some of which are used by small groups of niche researchers -- to the new system "at a pace and at a cost that is achievable."

The cost to the research council was pegged at $20 million "and growing substantially" as work-arounds failed. The cost of ongoing delays were calculated at $800,000 per week, but the documents don't detail those calculations.

Details of the "resourcing and funding gaps" in the project have been blacked out from the documents because they are considered sensitive advice to government officials.

No one from Shared Services Canada or the National Research Council was made available for interviews about progress on the project.